Overview

overview

10

Static

static

10

B.exe

windows7-x64

10

B.exe

windows10-2004-x64

10

Build.exe

windows7-x64

10

Build.exe

windows10-2004-x64

10

READ.exe

windows7-x64

10

READ.exe

windows10-2004-x64

10

rb.exe

windows7-x64

10

rb.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24/12/2024, 13:15 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    rb.exe

  • Size

    669KB

  • MD5

    ae286ff258c5ec1d15a4fd3f64875d5b

  • SHA1

    576b9e76e385b389f859ee4bde2d12776bbaedca

  • SHA256

    ce0facb2c24c71a20117e27af3aed9d6815500eeadba6e79b472bef539d82769

  • SHA512

    f2cf299e20571701ab7a7ad82103317279e8378f114e3de76b22580eb5e8263a025af1fb653b27323645e0ac63983dcbf6f609154a16e8e9d6c81531c369183b

  • SSDEEP

    12288:dQA0FfTcwpBuV2UxqDmuiLZeUaoFi2XZWfGe615HhAZV8DiKD/KeX:Tuf4wTuV2Ux3uIZeUBi2Te6HWnKrKe

Score
10/10
medusalockerdiscoveryevasionransomwarespywarestealertrojan

Malware Config

Extracted

Path

\Device\HarddiskVolume1\HOW_TO_RECOVER_DATA.html

Ransom Note
<html> <style type="text/css"> body { background-color: #f5f5f5; } h1, h3{ text-align: center; text-transform: uppercase; font-weight: normal; } /*---*/ .tabs1{ display: block; margin: auto; } .tabs1 .head{ text-align: center; float: top; padding: 0px; text-transform: uppercase; font-weight: normal; display: block; background: #81bef7; color: #DF0101; font-size: 30px; } .tabs1 .identi { font-size: 10px; text-align: center; float: top; padding: 15px; display: block; background: #81bef7; color: #DFDFDF; } .tabs .content { background: #f5f5f5; /*text-align: center;*/ color: #000000; padding: 25px 15px; font-size: 15px; font-weight: 400; line-height: 20px; } .tabs .content a { color: #df0130; font-size: 23px; font-style: italic; text-decoration: none; line-height: 35px; } .tabs .content .text{ padding: 25px; line-height: 1.2; } </style> <body> <div class="tabs1"> <div class="head" ><b>Your personal ID:</b></div> <div class="identi"> <span style="width:1000px; color: #ffffff; font-size: 10px;">118281505A0CD820B7D651C73218F1BED5E5B1CA8F057B8C71129A679C940CF4704C803345BEBA06767B56EB2A5E03463CD0D9A9F8868827C3424277D2E57244<br>379D8DAAAC7729678D6432C2543C5A53CDBABB59D62C271CD30CAD30F5ECC01AC648E5AB6058878F099849E02694917AD2A070523A5ED92BFF8E3749CFF4<br>C7AF0758C4CDC7599D62B47771AC28F1AA1F9AEC8C3EBD7192A5A2AFA0FC1EE95D2758B61C186BA9A2E2F24D10DB3CCE6C1FD9CC8CB68993BF0EC9F3385D<br>366699CEABFFAB38AE9C54700AEC8C11D432C5A73A2E8425C9960BA328D4585E47066CA602BED0628657AF58745536CA80B9DF4C80DD3EA8A7BF3CBA60DD<br>41BF6074C7A5923520E33A1F7E779B11E1482445D1F6FAF6FD943ACAC9CF4D3AAB85FA34A96E1D27B3EE1A60BD12BBA2C9586DEE3474933D1FDA392C37EB<br>76AE7B1566C459E8699BE456035F839F73D0F91840BCBFDCE01F17113A2409EA9401A9F8F40A077FD302EDAF9CFF9B1305B8159016CE0F2DC054C58DC566<br>71970A2868744C8E328F6135CBA6EC9F61FD4A426FCC36E0D9D3CC4C78BBCF9EAF00AD6EC9A81204B4BBEC6F326635345AB6E0CED2998583B33396218B78<br>16EB2EB048D10F2A26C0859D0CCFD1DBA585AF0F1495183BB945910F376051C809A0ED8DDA518A0A3D09B078074DFB6666FD9A0CC21AB6A5CBC6D03E360B<br>EDF0B299851CC7A2B798BB107325</span> <br> <!-- !!! dont changing this !!! --> </div> </div> <!-- --> <div class="tabs"> <!--tab--> <div class="tab"> <div id="tab-content1" class="content"> <div class="text"> <!--text data --> <b>/!\ YOUR COMPANY NETWORK HAS BEEN PENETRATED /!\</b><br> <b>All your important files have been encrypted!</b><br><br> <hr> Your files are safe! Only modified. (RSA+AES)<br><br> ANY ATTEMPT TO RESTORE YOUR FILES WITH THIRD-PARTY SOFTWARE<br> WILL PERMANENTLY CORRUPT IT.<br> DO NOT MODIFY ENCRYPTED FILES.<br> DO NOT RENAME ENCRYPTED FILES.<br><br> No software available on internet can help you. We are the only ones able to<br> solve your problem.<br><br> We gathered highly confidential/personal data. These data are currently stored on<br> a private server. This server will be immediately destroyed after your payment.<br> If you decide to not pay, we will release your data to public or re-seller.<br> So you can expect your data to be publicly available in the near future..<br><br> We only seek money and our goal is not to damage your reputation or prevent<br> your business from running.<br><br> You will can send us 2-3 non-important files and we will decrypt it for free<br> to prove we are able to give your files back.<br><br> <!--text data --> <hr> <b>Contact us for price and get decryption software.</b><br><br> <a>.onion</a><br> * Note that this server is available via Tor browser only<br><br> Follow the instructions to open the link:<br> 1. Type the addres "https://www.torproject.org" in your Internet browser. It opens the Tor site.<br> 2. Press "Download Tor", then press "Download Tor Browser Bundle", install and run it.<br> 3. Now you have Tor browser. In the Tor Browser open <a>qd7pcafncosqfqu3ha6fcx4h6sr7tzwagzpcdcnytiw3b6varaeqv5yd.onion </a><br> 4. Start a chat and follow the further instructions. <br><br> <hr> <b>If you can not use the above link, use the email:</b><br> <a href="help_24_decr1@outlook.com ">help_24_decr1@outlook.com </a> <br><a href="help_24_decr2@outlook.com">help_24_decr2@outlook.com</a> <br> <b>* To contact us, create a new free email account on the site:</b> <a href="https://protonmail.com">protonmail.com<br> <hr> <b> IF YOU DON'T CONTACT US WITHIN 72 HOURS, PRICE WILL BE HIGHER.</b><br> </div> </div> </div> <!--tab--> <!--text data --> </div> </div> <!--tab--> </div> </div> </body> </html>
Emails

href="help_24_decr1@outlook.com

">help_24_decr1@outlook.com

href="help_24_decr2@outlook.com">help_24_decr2@outlook.com</a>

Signatures

  • MedusaLocker

    Ransomware with several variants first seen in September 2019.

    ransomwaremedusalocker
  • MedusaLocker payload 1 IoCs
  • Medusalocker family
    medusalocker
  • UAC bypass 3 TTPs 2 IoCs
    evasiontrojan
  • Renames multiple (190) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Drops desktop.ini file(s) 1 IoCs
  • Enumerates connected drives 3 TTPs 24 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 63 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs
  • System policy modification 1 TTPs 3 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\rb.exe
    "C:\Users\Admin\AppData\Local\Temp\rb.exe"
    1⤵
    • UAC bypass
    • Checks whether UAC is enabled
    • Drops desktop.ini file(s)
    • Enumerates connected drives
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:4496
    • C:\Windows\SysWOW64\Wbem\wmic.exe
      wmic.exe SHADOWCOPY /nointeractive
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      PID:1372
    • C:\Windows\SysWOW64\Wbem\wmic.exe
      wmic.exe SHADOWCOPY /nointeractive
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      PID:4368
    • C:\Windows\SysWOW64\Wbem\wmic.exe
      wmic.exe SHADOWCOPY /nointeractive
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      PID:4732
  • C:\Users\Admin\AppData\Roaming\svhost.exe
    C:\Users\Admin\AppData\Roaming\svhost.exe
    1⤵
    • Executes dropped EXE
    • System Location Discovery: System Language Discovery
    PID:2424

Network

  • flag-us
    DNS
    8.8.8.8.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    8.8.8.8.in-addr.arpa
    IN PTR
    Response
    8.8.8.8.in-addr.arpa
    IN PTR
    dnsgoogle
  • flag-us
    DNS
    58.55.71.13.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    58.55.71.13.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    83.210.23.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    83.210.23.2.in-addr.arpa
    IN PTR
    Response
    83.210.23.2.in-addr.arpa
    IN PTR
    a2-23-210-83deploystaticakamaitechnologiescom
  • flag-us
    DNS
    138.32.126.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    138.32.126.40.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    95.221.229.192.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    95.221.229.192.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    228.249.119.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    228.249.119.40.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    241.150.49.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    241.150.49.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    56.163.245.4.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    56.163.245.4.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    18.31.95.13.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    18.31.95.13.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    172.210.232.199.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    172.210.232.199.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    88.210.23.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    88.210.23.2.in-addr.arpa
    IN PTR
    Response
    88.210.23.2.in-addr.arpa
    IN PTR
    a2-23-210-88deploystaticakamaitechnologiescom
  • flag-us
    DNS
    11.227.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    11.227.111.52.in-addr.arpa
    IN PTR
    Response
No results found
  • 8.8.8.8:53
    8.8.8.8.in-addr.arpa
    dns
    66 B
     90 B
     1
    1

    DNS Request

    8.8.8.8.in-addr.arpa

  • 8.8.8.8:53
    58.55.71.13.in-addr.arpa
    dns
    70 B
     144 B
     1
    1

    DNS Request

    58.55.71.13.in-addr.arpa

  • 8.8.8.8:53
    83.210.23.2.in-addr.arpa
    dns
    70 B
     133 B
     1
    1

    DNS Request

    83.210.23.2.in-addr.arpa

  • 8.8.8.8:53
    138.32.126.40.in-addr.arpa
    dns
    72 B
     158 B
     1
    1

    DNS Request

    138.32.126.40.in-addr.arpa

  • 8.8.8.8:53
    95.221.229.192.in-addr.arpa
    dns
    73 B
     144 B
     1
    1

    DNS Request

    95.221.229.192.in-addr.arpa

  • 8.8.8.8:53
    228.249.119.40.in-addr.arpa
    dns
    73 B
     159 B
     1
    1

    DNS Request

    228.249.119.40.in-addr.arpa

  • 8.8.8.8:53
    241.150.49.20.in-addr.arpa
    dns
    72 B
     158 B
     1
    1

    DNS Request

    241.150.49.20.in-addr.arpa

  • 8.8.8.8:53
    18.31.95.13.in-addr.arpa
    dns
    70 B
     144 B
     1
    1

    DNS Request

    18.31.95.13.in-addr.arpa

  • 8.8.8.8:53
    56.163.245.4.in-addr.arpa
    dns
    71 B
     157 B
     1
    1

    DNS Request

    56.163.245.4.in-addr.arpa

  • 8.8.8.8:53
    172.210.232.199.in-addr.arpa
    dns
    74 B
     128 B
     1
    1

    DNS Request

    172.210.232.199.in-addr.arpa

  • 8.8.8.8:53
    88.210.23.2.in-addr.arpa
    dns
    70 B
     133 B
     1
    1

    DNS Request

    88.210.23.2.in-addr.arpa

  • 8.8.8.8:53
    11.227.111.52.in-addr.arpa
    dns
    72 B
     158 B
     1
    1

    DNS Request

    11.227.111.52.in-addr.arpa

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\svhost.exe
    Filesize

    669KB

    MD5

    ae286ff258c5ec1d15a4fd3f64875d5b

    SHA1

    576b9e76e385b389f859ee4bde2d12776bbaedca

    SHA256

    ce0facb2c24c71a20117e27af3aed9d6815500eeadba6e79b472bef539d82769

    SHA512

    f2cf299e20571701ab7a7ad82103317279e8378f114e3de76b22580eb5e8263a025af1fb653b27323645e0ac63983dcbf6f609154a16e8e9d6c81531c369183b

    Download Submit

  • C:\Users\Default\ntuser.dat.LOG2
    Filesize

    536B

    MD5

    d5f24532e4368a8bbb28d98721629a66

    SHA1

    3c013bef72fd3b125af8e32a7932b605ee49da9e

    SHA256

    a9824b3f8650d33df863a3565f46c24ce950674a6ea5bbd972d88d062e69d1c0

    SHA512

    407bd803d254887c9ae56c8f5d2a3ad9bfc4c72d149af7277c7d3be20dd23ecea53c8c817871f9c9fb273c78a197e4e4b4014dc533a985b1a8609d37258df81b

    Download Submit

  • \Device\HarddiskVolume1\HOW_TO_RECOVER_DATA.html
    Filesize

    5KB

    MD5

    7321b09180076ae68af78fec2ff00d77

    SHA1

    48fac87d9ae820e99f1dc8e08b25d8455dcd87fa

    SHA256

    50d9a45212191a9607ab40c4b0a9727ca5847508ae063e2774b7d3a02b9e7196

    SHA512

    e37cdec5231122ce4b96913591696f18d14b4f3e3f8763c5742fca6962e18ebcebf855fe231db354adaf3b2bb5c4eb9f012ea86fcdda8ae2f41933d84bf0390e

    Download Submit

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.